Application description 04/2017 NERC CIP Compliance Matrix of RUGGEDCOM RUGGEDCOM https://support.industry.siemens.com/cs/ww/en/view/109747098
Warranty and Liability

Note: The Application Examples are not binding and do not claim to be complete regarding the circuits shown, equipping and any eventuality. The Application Examples do not represent customer-specific solutions. They are only intended to provide support for typical applications. You are responsible for ensuring that the described products are used correctly. These application examples do not relieve you of the responsibility to use safe practices in application, installation, operation and maintenance. When using these Application Examples, you recognize that we cannot be made liable for any damage/claims beyond the liability clause described. We reserve the right to make changes to these Application Examples at any time without prior notice. If there are any deviations between the recommendations provided in these application examples and other Siemens publications, e.g. catalogs, the contents of the other documents have priority.

We do not accept any liability for the information contained in this document. Any claims against us based on whatever legal reason resulting from the use of the examples, information, programs, engineering and performance data etc., described in this Application Example shall be excluded. Such an exclusion shall not apply in the case of mandatory liability, e.g. under the German Product Liability Act (Produkthaftungsgesetz), in case of intent, gross negligence, or injury of life, body or health, guarantee for the quality of a product, fraudulent concealment of a deficiency or breach of a condition which goes to the root of the contract (wesentliche Vertragspflichten). The damages for a breach of a substantial contractual obligation are, however, limited to the foreseeable damage, typical for the type of contract, except in the event of intent or gross negligence or injury to life, body or health. The above provisions do not imply a change of the burden of proof to your detriment.
Any form of duplication or distribution of these Application Examples or excerpts hereof is prohibited without the expressed consent of the Siemens AG.

Security information

Siemens provides products and solutions with industrial security functions that support the secure operation of plants, solutions, machines, equipment and/or networks. They are important components in a holistic industrial security concept. With this in mind, Siemens products and solutions undergo continuous development. Siemens recommends strongly that you regularly check for product updates. For the secure operation of Siemens products and solutions, it is necessary to take suitable preventive action (e.g. cell protection concept) and integrate each component into a holistic, state-of-the-art industrial security concept. Third-party products that may be in use should also be considered. For more information about industrial security, visit http://www.siemens.com/industrialsecurity. To stay informed about product updates as they occur, sign up for a product-specific newsletter. For more information, visit http://support.industry.siemens.com.

NERC CIP Compliance Matrix of RUGGEDCOM, Entry-ID: 109747098, 1.0, 04/2017
Table of Contents

Warranty and Liability
1 Overview
2 CIP-005-5.1: Cyber Security BES Cyber System Categorization
3 CIP-003-6: Cyber Security Security Management Controls
4 CIP-004-6: Cyber Security Personnel & Training
5 CIP-005-5: Cyber Security Electronic Security Perimeter(s)
6 CIP-006-6: Cyber Security Physical Security of BES Cyber Systems
7 CIP-007-6: Cyber Security Systems Security Management
8 CIP-008-5: Cyber Security Incident Reporting and Response Planning
9 CIP-009-6: Cyber Security Recovery Plans for BES Cyber Systems
10 CIP-010-2: Cyber Security Configuration Change Management and Vulnerability...
11 CIP-011-2: Cyber Security Information Protection
12 References
13 Glossary of Terms
14 Related Literature
15 History
1 Overview

On January 21st, 2016, FERC issued Order 822 approving version 6 of the NERC standards, involving revisions to seven NERC Critical Infrastructure Protection Standards and six new or modified terms. On February 25, 2016, FERC granted the motion requesting an extension of time for the implementation of the v5 requirements to match the v6 standards, which will generally go into effect on July 1, 2016, with the Low Impact and Transient Devices requirements going into effect on April 1, 2017.

Siemens RUGGEDCOM is a scalable enterprise software solution tailored to provide secure, intermediate access to remote IEDs. It was conceptualized and designed to implement the best practices and procedures from Information Technology (IT) and bring them to the Operation Technology (OT) environment, initially with the needs of the Electric Utilities in mind, but positioned for expansion into other security-sensitive markets. Developed as a centralized solution to provide strong, two-factor authentication for authorized users, it delivers cyber-secure access to remote users for the management of IEDs and their associated files. Through RUGGEDCOM, an IED maintenance application is allowed to remotely communicate with its associated IEDs as if the users were directly connecting to the device.

The following pages list the NERC CIP standards and requirements for CIP v5 and v6 as they are written to go into effect on July 1, 2016, and how Siemens RUGGEDCOM can be used as part of a CIP program to address certain requirements.
2 CIP-005-5.1: Cyber Security BES Cyber System Categorization

Purpose

To identify and categorize BES Cyber Systems and their associated BES Cyber Assets for the application of cyber security requirements commensurate with the adverse impact that loss, compromise, or misuse of those BES Cyber Systems could have on the reliable operation of the BES. Identification and categorization of BES Cyber Systems support appropriate protection against compromises that could lead to mis-operation or instability in the BES.

Table 2-1: CIP-005-5.1: Cyber Security BES Cyber System Categorization

Part | Requirement | or support the

R1

Each Responsible Entity shall implement a process that considers each of the following assets for purposes of parts 1.1 through 1.3: [Violation Risk Factor: High] [Time Horizon: Operations Planning]
i. Control Centers and backup Control Centers;
ii. Transmission stations and substations;
iii. Generation resources;
iv. Systems and facilities critical to system restoration, including Blackstart Resources and Cranking Paths and initial switching requirements;
v. Special Protection Systems that support the reliable operation of the Bulk Electric System; and
vi. For Distribution Providers, Protection Systems specified in Applicability section 4.2.1 above.
1.1. Identify each of the high impact BES Cyber Systems according to Attachment 1, Section 1, if any, at each asset;
1.2. Identify each of the medium impact BES Cyber Systems according to Attachment 1, Section 2, if any, at each asset; and
1.3. Identify each asset that contains a low impact BES Cyber System according to Attachment 1, Section 3, if any (a discrete list of low impact BES Cyber Systems is not required).

contains a database of all substation cyber assets under its control. Integral critical cyber asset reports identify:
All CCAs (for pre-v5 compatibility)
All cyber assets
High/Medium/Low impact rating
All assets added or edited since a given date
Key configuration parameters
Current firmware version (for select device types)
This function of allows for easy categorization of impact level (High, Medium, and Low)

M1

Acceptable evidence includes, but is not limited to, dated electronic or physical lists required by Requirement R1, and Parts 1.1 and 1.2.

R2

The Responsible Entity shall: [Violation Risk Factor: Lower] [Time Horizon: Operations Planning]
2.1. Review the identifications in Requirement R1 and its parts (and update them if there are changes identified) at least once every 15 calendar months, even if it has no identified items in Requirement R1, and
2.2. Have its CIP Senior Manager or delegates approve the identifications required by Requirement R1 at least once every 15 calendar months, even if it has no identified items in Requirement R1.

Printed Cyber asset report format includes area for review information, e.g. Reviewer name, title, date, & signature. Reports may be scheduled in advance and emailed to assigned reviewers to ensure timely review.

M2

Acceptable evidence includes, but is not limited to, electronic or physical dated records to demonstrate that the Responsible Entity has reviewed and updated, where necessary, the identifications required in Requirement R1 and its parts, and has had its CIP Senior Manager or delegate approve the identifications required in Requirement R1 and its parts at least once every 15 calendar months, even if it has none identified in Requirement R1 and its parts, as required by Requirement R2.
3 CIP-003-6: Cyber Security Security Management Controls

Purpose

To specify consistent and sustainable security management controls that establish responsibility and accountability to protect BES Cyber Systems against compromise that could lead to mis-operation or instability in the Bulk Electric System (BES).

Table 3-1: CIP-003-6: Cyber Security Security Management Controls

Part | Requirement | or support the

R1

Each Responsible Entity shall review and obtain CIP Senior Manager approval at least once every 15 calendar months for one or more documented cyber security policies that collectively address the following topics: [Violation Risk Factor: Medium] [Time Horizon: Operations Planning]
1.1. For its high impact and medium impact BES Cyber Systems, if any:
1.1.1. Personnel and training (CIP-004);
1.1.2. Electronic Security Perimeters (CIP-005) including Interactive Remote Access;
1.1.3. Physical security of BES Cyber Systems (CIP-006);
1.1.4. System security management (CIP-007);
1.1.5. Incident reporting and response planning (CIP-008);
1.1.6. Recovery plans for BES Cyber Systems (CIP-009);
1.1.7. Configuration change management and vulnerability assessments (CIP-010);
1.1.8. Information protection (CIP-011); and
1.1.9. Declaring and responding to CIP Exceptional Circumstances.
1.2. For its assets identified in CIP-002 containing low impact BES Cyber Systems, if any:
1.2.1. Cyber security awareness;
1.2.2. Physical security controls;
1.2.3. Electronic access controls for Low Impact External Routable Connectivity (LERC) and Dial-up Connectivity; and
1.2.4. Cyber Security Incident response

N/A (process documentation)

M1

limited to, policy documents; revision history, records of review, or workflow evidence from a document management system that indicate review of each cyber security policy at least once every 15 calendar months; and documented approval by the CIP Senior Manager for each cyber security policy.

R2

Each Responsible Entity with at least one asset identified in CIP-002 containing low impact BES Cyber Systems shall implement one or more documented cyber security plan(s) for its low impact BES Cyber Systems that include the sections in Attachment 1. [Violation Risk Factor: Lower] [Time Horizon: Operations Planning]
Note: An inventory, list, or discrete identification of low impact BES Cyber Systems or their BES Cyber Assets is not required. Lists of authorized users are not required.

N/A (process documentation)

M2

Evidence shall include each of the documented cyber security plan(s) that collectively include each of the sections in Attachment 1 and additional evidence to demonstrate implementation of the cyber security plan(s). Additional examples of evidence per section are located in Attachment 2.

R3

Each Responsible Entity shall identify a CIP Senior Manager by name and document any change within 30 calendar days of the change. [Violation Risk Factor: Medium] [Time Horizon: Operations Planning]

administrator can identify the person/people responsible for NERC compliance by name and provide them with access to reports only.

M3

limited to, a dated and approved document from a high level official designating the name of the individual identified as the CIP Senior Manager.

R4

The Responsible Entity shall implement a documented process to delegate authority, unless no delegations are used. Where allowed by the CIP Standards, the CIP Senior Manager may delegate authority for specific actions to a delegate or delegates. These delegations shall be documented, including the name or title of the delegate, the specific actions delegated, and the date of the delegation; approved by the CIP Senior Manager; and updated within 30 days of any change to the delegation. Delegation changes do not need to be reinstated with a change to the delegator. [Violation Risk Factor: Lower] [Time Horizon: Operations Planning]

N/A (process documentation)

M4

limited to, a dated document, approved by the CIP Senior Manager, listing individuals (by name or title) who are delegated the authority to approve or authorize specifically identified items.
4 CIP-004-6: Cyber Security Personnel & Training

Purpose

To minimize the risk against compromise that could lead to mis-operation or instability in the Bulk Electric System (BES) from individuals accessing BES Cyber Systems by requiring an appropriate level of personnel risk assessment, training, and security awareness in support of protecting BES Cyber Systems.

R1

Each Responsible Entity shall implement one or more documented processes that collectively include each of the applicable parts in CIP-004-6 Table R1 Security Awareness Program. [Violation Risk Factor: Lower] [Time Horizon: Operations Planning]

M1

Evidence must include each of the applicable documented processes that collectively include each of the applicable parts in CIP-004-6 Table R1 Security Awareness Program and additional evidence to demonstrate implementation as described in the Measures column of the table.

R2

Each Responsible Entity shall implement one or more cyber security training program(s) appropriate to individual roles, functions, or responsibilities that collectively includes each of the applicable parts in CIP-004-6 Table R2 Cyber Security Training Program. [Violation Risk Factor: Lower] [Time Horizon: Operations Planning]

M2

Evidence must include the training program that includes each of the applicable parts in CIP-004-6 Table R2 Cyber Security Training Program and additional evidence to demonstrate implementation of the program(s).

R3

Each Responsible Entity shall implement one or more documented personnel risk assessment program(s) to attain and retain authorized electronic or authorized unescorted physical access to BES Cyber Systems that collectively include each of the applicable parts in CIP-004-6 Table R3 Personnel Risk Assessment Program. [Violation Risk Factor: Medium] [Time Horizon: Operations Planning]

M3

Evidence must include the documented personnel risk assessment programs that collectively include each of the applicable parts in CIP-004-6 Table R3 Personnel Risk Assessment Program and additional evidence to demonstrate implementation of the program(s).

R4

Each Responsible Entity shall implement one or more documented access management program(s) that collectively include each of the applicable parts in CIP-004-6 Table R4 Access Management Program. [Violation Risk Factor: Medium] [Time Horizon: Operations Planning and Same Day Operations]

M4

Evidence must include the documented processes that collectively include each of the applicable parts in CIP-004-6 Table R4 Access Management Program and additional evidence to demonstrate that the access management program was implemented as described in the Measures column of the table.

Table 4-1: CIP-004-6: Cyber Security Personnel & Training

Part | Requirement | or support the
ALL | ALL | n/a (Process/documentation)
5 CIP-005-5: Cyber Security Electronic Security Perimeter(s)

Purpose

To manage electronic access to BES Cyber Systems by specifying a controlled Electronic Security Perimeter in support of protecting BES Cyber Systems against compromise that could lead to mis-operation or instability in the BES.

R1

Each Responsible Entity shall implement one or more documented processes that collectively include each of the applicable parts in CIP-005-5 Table R1 Electronic Security Perimeter. [Violation Risk Factor: Medium] [Time Horizon: Operations Planning and Same Day Operations]

M1

Evidence must include each of the applicable documented processes that collectively include each of the applicable parts in CIP-005-5 Table R1 Electronic Security Perimeter and additional evidence to demonstrate implementation as described in the Measures column of the table.

Table 5-1: CIP-005-5: Table R1 Electronic Security Perimeter

1.1
High Impact BES PCA PCA
All applicable Cyber Assets connected to a network via a routable protocol shall reside within a defined ESP.
limited to, a list of all ESPs with all uniquely identifiable applicable Cyber Assets connected via a routable protocol within each ESP.
provides a report of all devices using a routable protocol, by facility

1.2
High Impact BES Cyber Systems with External Routable Connectivity and their associated: PCA Cyber Systems with External Routable Connectivity and their associated: PCA
All External Routable Connectivity must be through an identified Electronic Access Point (EAP).
limited to, network diagrams showing all external routable communication paths and the identified EAPs.
provides a report of all Electronic Access Points, by facility

1.3
Electronic Access Points for High Impact BES Cyber Systems Electronic Access Points for Medium Impact BES Cyber Systems
Require inbound and outbound access permissions, including the reason for granting access, and deny all other access by default.
limited to, a list of rules (firewall, access control lists, etc.) that demonstrate that only permitted access is allowed and that each access rule has a documented reason.
A typical implementation results in the server being configured as the only system allowed to connect to the EAP for interactive access. This may be enforced with certificates, passwords, or other means.

1.4
High Impact BES Cyber Systems with Dial-up Connectivity and PCA Cyber Systems with Dial-up Connectivity and PCA
Where technically feasible, perform authentication when establishing Dial-up Connectivity with applicable Cyber Assets.
limited to, a documented process that describes how the Responsible Entity is providing authenticated access through each dial-up connection.
supports many 3rd party dial-up EAPs, and provides authenticated access to and through them.

1.5
Electronic Access Points for High Impact BES Cyber Systems Electronic Access Points for Medium Impact BES Cyber Systems at Control Centers
Have one or more methods for detecting known or suspected malicious communications for both inbound and outbound communications.
limited to, documentation that malicious communications detection methods (e.g. intrusion detection system, application layer firewall, etc.) are implemented.
may be used to aggregate logs from EAPs, and generate alerts under specific conditions.

R2

Each Responsible Entity allowing Interactive Remote Access to BES Cyber Systems shall implement one or more documented processes that collectively include the applicable parts, where technically feasible, in CIP-005-5 Table R2 Interactive Remote Access Management. [Violation Risk Factor: Medium] [Time Horizon: Operations Planning and Same Day Operations]

M2

Evidence must include the documented processes that collectively address each of the applicable parts in CIP-005-5 Table R2 Interactive Remote Access Management and additional evidence to demonstrate implementation as described in the Measures column of the table.

Table 5-2: CIP-005-5: Table R2 Interactive Remote Access Management

2.1
High Impact BES PCA Cyber Systems with External Routable Connectivity and their associated: PCA
Utilize an Intermediate System such that the Cyber Asset initiating Interactive Remote Access does not directly access an applicable Cyber Asset.
limited to, network diagrams or architecture documents.
Secure Access Manager acts as intermediate system between clients and the Cyber Assets. permits access to BES Cyber System or Protected Cyber Asset only to those who have been granted access privileges by an authorized administrator.

2.2
High Impact BES PCA Cyber Systems with External Routable Connectivity and their associated: PCA
For all Interactive Remote Access sessions, utilize encryption that terminates at an Intermediate System.
limited to, architecture documents detailing where encryption initiates and terminates.
client server communications is always encrypted. Connections from the server may be encrypted to EAPs which support it.

2.3
High Impact BES PCA Cyber Systems with External Routable Connectivity and their associated: PCA
Require multi-factor authentication for all Interactive Remote Access sessions.
limited to, architecture documents detailing the authentication factors used. authenticators may limited to, Something the individual knows such as passwords or PINs. This does not include User ID; Something the individual has such as tokens, digital certificates, or smart cards; or Something the individual is such as fingerprints, iris scans, or other biometric characteristics.
makes it technically feasible to secure interactive access to all IEDs, using strong (2-factor) authentication. s open architecture allows easy integration with various back-end authentication servers, such as RSA SecurID, RADIUS, or Active Directory.
6 CIP-006-6: Cyber Security Physical Security of BES Cyber Systems

Purpose

To manage physical access to Bulk Electric System (BES) Cyber Systems by specifying a physical security plan in support of protecting BES Cyber Systems against compromise that could lead to mis-operation or instability in the BES.

R1

Each Responsible Entity shall implement one or more documented physical security plan(s) that collectively include all of the applicable parts in CIP-006-6 Table R1 Physical Security Plan. [Violation Risk Factor: Medium] [Time Horizon: Long Term Planning and Same Day Operations]

M1

Evidence must include each of the documented physical security plans that collectively include all of the applicable parts in CIP-006-6 Table R1 Physical Security Plan and additional evidence to demonstrate implementation of the plan or plans as described in the Measures column of the table.

R2

Each Responsible Entity shall implement one or more documented visitor control program(s) that include each of the applicable parts in CIP-006-6 Table R2 Visitor Control Program. [Violation Risk Factor: Medium] [Time Horizon: Same Day Operations.]

M2

Evidence must include one or more documented visitor control programs that collectively include each of the applicable parts in CIP-006-6 Table R2 Visitor Control Program and additional evidence to demonstrate implementation as described in the Measures column of the table.

R3

Each Responsible Entity shall implement one or more documented Physical Access Control System maintenance and testing program(s) that collectively include each of the applicable parts in CIP-006-6 Table R3 Maintenance and Testing Program. [Violation Risk Factor: Medium] [Time Horizon: Long Term Planning]

M3

Evidence must include each of the documented Physical Access Control System maintenance and testing programs that collectively include each of the applicable parts in CIP-006-6 Table R3 Maintenance and Testing Program and additional evidence to demonstrate implementation as described in the Measures column of the table.

Table 6-1: CIP-006-6: Cyber Security Physical Security of BES Cyber Systems

Part | Requirement | or support the
ALL | ALL | n/a (Process/documentation)
7 CIP-007-6: Cyber Security Systems Security Management 7 CIP-007-6: Cyber Security Systems Security Management Purpose R1 M1 To manage system security by specifying select technical, operational, and procedural s in support of protecting BES Cyber Systems against compromise that could lead to mis-operation or instability in the Bulk Electric System (BES). Each Responsible Entity shall implement one or more documented process(es) that collectively include each of the applicable parts in CIP-007-6 Table R1 Ports and Services. [Violation Risk Factor: Medium] [Time Horizon: Same Day Operations] Evidence must include the documented processes that collectively include each of the applicable parts in CIP- 007-6 Table R1 Ports and Services and additional evidence to demonstrate implementation as described in the Measures column of the table. Table 7-1: CIP-007-6: Table R1 Ports and Services 1.1 High Impact BES Cyber Systems with External Routable Connectivity and their associated: Where technically feasible, enable only logical network accessible ports that have been determined to be needed by the Responsible Entity, including port ranges or services where needed to handle dynamic ports. If a device has no provision for disabling or restricting logical ports on the device then those ports that are open are deemed needed. limited to: Documentation of the need for all enabled ports on all applicable Cyber Assets and Electronic Access Points, individually or by group. Listings of the listening ports on the Cyber Assets, individually or by group, from either the device configuration files, command output (such as netstat), or network scans of open ports; or Configuration files of hostbased firewalls documents all the devices it is connected to and their applicable ports. NERC CIP Compliance Matrix of RUGGEDCOM Entry-ID: 109747098, 1.0, 04/2017 15
7 CIP-007-6: Cyber Security Systems Security Management R2 1.2 High Impact BES 1. PCA; and 2. Nonprogrammable communication components located inside both a PSP and an ESP. Cyber Systems at Control Centers and 1. PCA; and 2. Nonprogrammable communication components located inside both a PSP and an ESP. Protect against the use of unnecessary physical input/output ports used for network connectivity, console commands, or Removable Media. or other device level mechanisms that only allow needed ports and deny all others. limited to, documentation showing types of protection of physical input/output ports, either logically through system configuration or physically using a port lock or signage. n/a (documentation ) Each Responsible Entity shall implement one or more documented process(es) that collectively include each of the applicable parts in CIP-007-6 Table R2 Security Patch Management. [Violation Risk Factor: Medium] [Time Horizon: Operations Planning] M2 Evidence must include each of the applicable documented processes that collectively include each of the applicable parts in CIP-007-6 Table R2 Security Patch Management and additional evidence to demonstrate implementation as described in the Measures column of the table. Table 7-2: CIP-007-6: Table R2 Security Patch Management 2.1 High Impact BES A patch management process for tracking, evaluating, and installing cyber security patches for applicable Cyber Assets. The tracking limited to, documentation of a patch management process and SIEMENS performs monthly regression testing of against all supported operating systems for compatibility with NERC CIP Compliance Matrix of RUGGEDCOM Entry-ID: 109747098, 1.0, 04/2017 16
7 CIP-007-6: Cyber Security Systems Security Management 2.2 High Impact BES 2.3 High Impact BES portion shall include the identification of a source or sources that the Responsible Entity tracks for the release of cyber security patches for applicable Cyber Assets that are updateable and for which a patching source exists. At least once every 35 calendar days, evaluate security patches for applicability that have been released since the last evaluation from the source or sources identified in Part 2.1. For applicable patches identified in Part 2.2, within 35 calendar days of the evaluation completion, take one of the following actions: Apply the applicable patches; or Create a dated mitigation plan; Or Revise an existing mitigation plan. Mitigation plans shall include the Responsible Entity s planned actions to mitigate the vulnerabilities addressed by each security patch and a timeframe to complete these mitigations. documentation or lists of sources that are monitored, whether on an individual BES Cyber System or Cyber Asset basis. limited to, an evaluation conducted by, referenced by, or on behalf of a Responsible Entity of security-related patches released by the documented sources at least once every 35 calendar days. limited to: Records of the installation of the patch (e.g., exports from automated patch management tools that provide installation date, verification of BES Cyber System Component software revision, or registry exports that show software has been installed); or A dated plan showing when and how the vulnerability will be addressed, to include Microsoft OS patches. A notification email is sent to all customers with current maintenance agreements within 3 weeks of the release from Microsoft. SIEMENS performs monthly regression testing of against all supported operating systems for compatibility with Microsoft OS patches. A notification email is sent to all customers with current maintenance agreements within 3 weeks of the release from Microsoft. 
can monitor devices for current software and configuration versions & generate reports. may be scripted to apply security patches to field devices NERC CIP Compliance Matrix of RUGGEDCOM Entry-ID: 109747098, 1.0, 04/2017 17
7 CIP-007-6: Cyber Security Systems Security Management R3 2.4 High Impact BES 2. PACS; For each mitigation plan created or revised in Part 2.3, implement the plan within the timeframe specified in the plan, unless a revision to the plan or an extension to the timeframe specified in Part 2.3 is approved by the CIP Senior Manager or delegate. documentation of the actions to be taken by the Responsible Entity to mitigate the vulnerabilities addressed by the security patch and a timeframe for the completion of these mitigations. limited to, records of implementation of mitigations. n/a (documentation ) Each Responsible Entity shall implement one or more documented process(es) that collectively include each of the applicable parts in CIP-007-6 Table R3 Malicious Code Prevention. [Violation Risk Factor: Medium] [Time Horizon: Same Day Operations] M3 Evidence must include each of the documented processes that collectively include each of the applicable parts in CIP-007-6 Table R3 Malicious Code Prevention and additional evidence to demonstrate implementation as described in the Measures column of the table. Table 7-3: CIP-007-6: Table R3 Malicious Code Prevention 3.1 High Impact BES Deploy method(s) to deter, detect, or prevent malicious code. limited to, records of the Responsible Entity s performance of these processes (e.g., through traditional antivirus, n/a (process documentation) NERC CIP Compliance Matrix of RUGGEDCOM Entry-ID: 109747098, 1.0, 04/2017 18
2. PACS;
3.2 High Impact BES
3.3 High Impact BES

Mitigate the threat of detected malicious code.

For those methods identified in Part 3.1 that use signatures or patterns, have a process for the update of the signatures or patterns. The process must address testing and installing the signatures or patterns.

system hardening, policies, etc.).

limited to:
Records of response processes for malicious code detection
Records of the performance of these processes when malicious code is detected.

limited to, documentation showing the process used for the update of signatures or patterns.

can aggregate (using syslog) notifications from other system components, and provide user notifications.

n/a (documentation )

R4 Each Responsible Entity shall implement one or more documented process(es) that collectively include each of the applicable parts in CIP-007-6 Table R4 Security Event Monitoring. [Violation Risk Factor: Medium] [Time Horizon: Same Day Operations and Operations Assessment]

M4 Evidence must include each of the documented processes that collectively include each of the applicable parts in CIP-007-6 Table R4 Security Event Monitoring and additional evidence to demonstrate implementation as described in the Measures column of the table.

Table 7-4: CIP-007-6: Table R4 Security Event Monitoring

4.1 High Impact BES

Log events at the BES Cyber System level (per BES Cyber System capability) or at the Cyber Asset

limited to, a paper or system generated

logs activities (failed access attempts and failed login), and events for the
4.2 High Impact BES Cyber Systems with External Routable Connectivity and their associated:

level (per Cyber Asset capability) for identification of, and after-the-fact investigations of, Cyber Security Incidents that includes, as a minimum, each of the following types of events:
4.1.1. Detected successful login attempts;
4.1.2. Detected failed access attempts and failed login attempts;
4.1.3. Detected malicious code.

Generate alerts for security events that the Responsible Entity determines necessitates an alert, that includes, as a minimum, each of the following types of events (per Cyber Asset or BES Cyber System capability):
4.2.1. Detected malicious code from Part 4.1; and
4.2.2. Detected failure of Part 4.1 event logging.

listing of event types for which the BES Cyber System is capable of detecting and, for generated events, is configured to log. This listing must include the required types of events.

limited to, paper or system generated listing of security events that the Responsible Entity determined necessitate alerts, including paper or system generated list showing how alerts are configured.

devices it is connected to. It may aggregate events from EAPs and other devices via syslog, and generate alerts.

has configurable alerts and notifications. Users may be notified within, via email, or via syslog.

4.3 High Impact BES Cyber Systems at Control Centers and
4.4 High Impact BES

Where technically feasible, retain applicable event logs identified in Part 4.1 for at least the last 90 consecutive calendar days except under CIP Exceptional Circumstances.

Review a summarization or

limited to, documentation of the event log retention process and paper or system generated reports showing log retention configuration set at 90 days or greater.

Data may be retained indefinitely within the database.
Data may be retained indefinitely within the
and 2. PCA

sampling of logged events as determined by the Responsible Entity at intervals no greater than 15 calendar days to identify undetected Cyber Security Incidents.

limited to, documentation describing the review, any findings from the review (if any), and dated documentation showing the review occurred.

database.

R5 Each Responsible Entity shall implement one or more documented process(es) that collectively include each of the applicable parts in CIP-007-6 Table R5 System Access Controls. [Violation Risk Factor: Medium] [Time Horizon: Operations Planning]

M5 Evidence must include each of the applicable documented processes that collectively include each of the applicable parts in CIP-007-6 Table 5 System Access Controls and additional evidence to demonstrate implementation as described in the Measures column of the table.

Table 7-5: CIP-007-6: Table R5 System Access Controls

5.1 High Impact BES Cyber Systems at Control Centers and

Have a method(s) to enforce authentication of interactive user access, where technically feasible.

limited to, documentation describing how access is authenticated.

makes strong user authentication technically feasible for all device types, by authenticating users' credentials against Active Directory, RADIUS, or 2-Factor Authentication (e.g.: RSA)

Cyber Systems with External Routable Connectivity and their associated:

5.2 High Impact BES

Identify and inventory all known enabled default or other generic account

limited to, a listing of

generally eliminates the need for shared accounts. Every user
5.3 High Impact BES Cyber Systems with External Routable Connectivity and their associated:
5.4 High Impact BES
5.5 High Impact BES

types, either by system, by groups of systems, by location, or by system type(s).

Identify individuals who have authorized access to shared accounts.

Change known default passwords, per Cyber Asset capability

For password-only authentication for interactive user access, either technically or procedurally enforce the following password parameters:
5.5.1. Password length that is,

accounts by account types showing the enabled or generic account types in use for the BES Cyber System.

limited to, listing of shared accounts and the individuals who have authorized access to each shared account.

limited to:
Records of a procedure that passwords are changed when new devices are in production; or
Documentation in system manuals or other vendor documents showing default vendor passwords were generated pseudo-randomly and are thereby unique to the device.

limited to:
System-generated reports or screen-shots of the system enforced password

has their own unique account for all activities. The server becomes the only user that connects to devices.

Systems are normally configured so that the system is the only user to access device accounts. then manages individual user access permissions.

allows changing the default password of all devices at any given time to a specific or randomly generated new password.

has a built-in report to show all devices and the age of all current passwords.

can enforce password length and complexity rules, specified by device type. Passwords may be automatically changed on a configurable time
5.6 High Impact BES Cyber Systems with External Routable Connectivity and their associated:
5.7 High Impact BES

at least, the lesser of eight characters or the maximum length supported by the Cyber Asset; and
5.5.2. Minimum password complexity that is the lesser of three or more different types of characters (e.g., uppercase alphabetic, lowercase alphabetic, numeric, non-alphanumeric) or the maximum complexity supported by the Cyber Asset.

Where technically feasible, for password-only authentication for interactive user access, either technically or procedurally enforce password changes or an obligation to change the password at least once every 15 calendar months.

Where technically feasible, either:
Limit the number of unsuccessful authentication attempts; or
Generate alerts after

parameters, including length and complexity; or
Attestations that include a reference to the documented procedures that were followed.

limited to:
System-generated reports or screen-shots of the system enforced periodicity of changing passwords; or
Attestations that include a reference to the documented procedures that were followed.

limited to:
Documentation of the account lockout

interval.

supports various back-end authentication systems (Active Directory, RADIUS, RSA SecurID) that enforce user password rules.

will disable a user account after a configurable number of failed login attempts.
Cyber Systems at Control Centers and

a threshold of unsuccessful authentication attempts.

parameters; or
Rules in the alerting configuration showing how the system notified individuals after a determined number of unsuccessful login attempts.
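The password parameters in Parts 5.5.1 and 5.5.2 and the change interval in Part 5.6 all depend on "the lesser of" the stated value and what the Cyber Asset supports. The following Python code is an added example, not code from Siemens, RUGGEDCOM or NERC; the `DeviceType` record, the device and asset names, and the day-of-month reading of "15 calendar months" are assumptions made for illustration.

```python
import calendar
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class DeviceType:
    """Constructed capability record for one class of Cyber Asset."""
    name: str
    max_password_length: int  # longest password the asset accepts
    max_char_classes: int     # character types the asset supports (1 to 4)


def required_length(dev: DeviceType) -> int:
    # Part 5.5.1: the lesser of eight characters or the asset's maximum.
    return min(8, dev.max_password_length)


def required_classes(dev: DeviceType) -> int:
    # Part 5.5.2: the lesser of three character types or the asset's maximum.
    return min(3, dev.max_char_classes)


def char_classes(password: str) -> int:
    """Count which of the four character types named in Part 5.5.2 occur."""
    tests = (str.isupper, str.islower, str.isdigit,
             lambda c: not c.isalnum())
    return sum(any(t(c) for c in password) for t in tests)


def password_findings(password: str, dev: DeviceType) -> list[str]:
    """Return the reasons a candidate password fails for this device type."""
    findings = []
    if len(password) > dev.max_password_length:
        findings.append("longer than the asset supports")
    if len(password) < required_length(dev):
        findings.append(f"shorter than {required_length(dev)} characters")
    if char_classes(password) < required_classes(dev):
        findings.append(f"fewer than {required_classes(dev)} character types")
    return findings


def change_deadline(last_changed: date, months: int = 15) -> date:
    """Part 5.6 deadline. Assumption: same day of month, clamped to month end."""
    year, month0 = divmod(last_changed.year * 12 + last_changed.month - 1 + months, 12)
    last_day = calendar.monthrange(year, month0 + 1)[1]
    return date(year, month0 + 1, min(last_changed.day, last_day))


def overdue(ages: dict[str, date], today: date) -> list[str]:
    """Names of assets whose password change deadline has passed."""
    return sorted(n for n, changed in ages.items() if change_deadline(changed) < today)


if __name__ == "__main__":
    legacy = DeviceType("legacy relay (constructed)", 6, 2)
    modern = DeviceType("managed switch (constructed)", 32, 4)
    for dev in (legacy, modern):
        print(dev.name, password_findings("ab12cd", dev))
    print(overdue({"relay-01": date(2016, 1, 15), "switch-07": date(2017, 1, 15)},
                  today=date(2017, 4, 20)))
```

The same candidate password passes for the constructed legacy device and fails for the modern one, which is why the rules have to be evaluated per device type rather than once for the whole fleet.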
8 CIP-008-5: Cyber Security Incident Reporting and Response Planning

Purpose
To mitigate the risk to the reliable operation of the BES as the result of a Cyber Security Incident by specifying incident response s.

R1 Each Responsible Entity shall document one or more Cyber Security Incident response plan(s) that collectively include each of the applicable parts in CIP-008-5 Table R1 Cyber Security Incident Response Plan Specifications. [Violation Risk Factor: Lower] [Time Horizon: Long Term Planning]

M1 Evidence must include each of the documented plan(s) that collectively include each of the applicable parts in CIP-008-5 Table R1 Cyber Security Incident Response Plan Specifications.

Table 8-1: CIP-008-5: Table R1 System Access Control

1.1 High Impact BES Cyber Systems Cyber Systems
1.2 High Impact BES Cyber Systems Cyber Systems

One or more processes to identify, classify, and respond to Cyber Security Incidents.

One or more processes to determine if an identified Cyber Security Incident is a Reportable Cyber Security Incident and notify the Electricity Sector Information Sharing and Analysis Center (ES-ISAC), unless prohibited by law. Initial notification to the ES-ISAC, which may be only a preliminary notice, shall not exceed one hour from the determination of a Reportable Cyber Security Incident.

limited to, dated documentation of Cyber Security Incident response plan(s) that include the process to identify, classify, and respond to Cyber Security Incidents.

limited to, dated documentation of Cyber Security Incident response plan(s) that provide guidance or thresholds for determining which Cyber Security Incidents are also Reportable Cyber Security Incidents and documentation of initial notices to the Electricity Sector Information Sharing and Analysis Center (ES-ISAC).

All security events within are available through reports, syslog, or email.
n/a (documentation )
1.3 High Impact BES Cyber Systems Cyber Systems
1.4 High Impact BES Cyber Systems Cyber Systems

The roles and responsibilities of Cyber Security Incident response groups or individuals.

Incident handling procedures for Cyber Security Incidents.

limited to, dated Cyber Security Incident response process(es) or procedure(s) that define roles and responsibilities (e.g., monitoring, reporting, initiating, documenting, etc.) of Cyber Security Incident response groups or individuals.

limited to, dated Cyber Security Incident response process(es) or procedure(s) that address incident handling (e.g., containment, eradication, recovery/incident resolution).

n/a (process documentation )

n/a (process documentation )

R2 Each Responsible Entity shall implement each of its documented Cyber Security Incident response plans to collectively include each of the applicable parts in CIP-008-5 Table R2 Cyber Security Incident Response Plan Implementation and Testing. [Violation Risk Factor: Lower] [Time Horizon: Operations Planning and Real-Time Operations]

M2 Evidence must limited to, documentation that collectively demonstrates implementation of each of the applicable parts in CIP-008-5 Table R2 Cyber Security Incident Response Plan Implementation and Testing.

Table 8-2: CIP-008-5: Table R2 Cyber Security Incident Response Plan Implementation and Testing

ALL ALL ALL ALL n/a (process documentation )
R3 Each Responsible Entity shall maintain each of its Cyber Security Incident response plans according to each of the applicable parts in CIP-008-5 Table R3 Cyber Security Incident Response Plan Review, Update, and Communication. [Violation Risk Factor: Lower] [Time Horizon: Operations Assessment]

M3 Evidence must limited to, documentation that collectively demonstrates maintenance of each Cyber Security Incident response plan according to the applicable parts in CIP-008-5 Table R3 Cyber Security Incident.

Table 8-3: CIP-008-5: Table R3 Cyber Security Incident Response Plan Review, Update, and Communication

ALL ALL ALL ALL n/a (process documentation )
9 CIP-009-6: Cyber Security Recovery Plans for BES Cyber Systems

Purpose
To recover reliability functions performed by BES Cyber Systems by specifying recovery plan s in support of the continued stability, operability, and reliability of the BES.

R1 Each Responsible Entity shall have one or more documented recovery plan(s) that collectively include each of the applicable parts in CIP-009-6 Table R1 Recovery Plan Specifications. [Violation Risk Factor: Medium] [Time Horizon: Long Term Planning]

M1 Evidence must include the documented recovery plan(s) that collectively include the applicable parts in CIP-009-6 Table R1 Recovery Plan Specifications.

Table 9-1: CIP-009-6: Table R1 thru R3 Recovery Plans for BES Cyber Systems

ALL ALL ALL ALL n/a (process documentation )
10 CIP-010-2: Cyber Security Configuration Change Management and Vulnerability

Purpose
To prevent and detect unauthorized changes to BES Cyber Systems by specifying configuration change management and vulnerability assessment s in support of protecting BES Cyber Systems from compromise that could lead to misoperation or instability in the Bulk Electric System (BES).

R1 Each Responsible Entity shall implement one or more documented process(es) that collectively include each of the applicable parts in CIP-010-2 Table R1 Configuration Change Management. [Violation Risk Factor: Medium] [Time Horizon: Operations Planning]

M1 Evidence must include each of the applicable documented processes that collectively include each of the applicable parts in CIP-010-2 Table R1 Configuration Change Management and additional evidence to demonstrate implementation as described in the Measures column of the table.

Table 10-1: CIP-010-2: Table R1 Configuration Change Management

1.1 High Impact BES

Develop a baseline configuration, individually or by group, which shall include the following items:
1.1.1. Operating system(s) (including version) or firmware where no independent operating system exists;
1.1.2. Any commercially available or open-source application software (including version) intentionally installed;
1.1.3. Any custom software

limited to:
A spreadsheet identifying the required items of the baseline configuration for each Cyber Asset, individually or by group; or
A record in an asset management system that identifies the required items of the baseline configuration for each Cyber Asset, individually or by group.

can create a baseline record for all cyber assets. Reports are available which document firmware versions of all cyber assets.
installed;
1.1.4. Any logical network accessible ports; and
1.1.5. Any security patches applied.

1.2 High Impact BES
1.3 High Impact BES
1.4 High Impact BES

Authorize and document changes that deviate from the existing baseline configuration.

For a change that deviates from the existing baseline configuration, update the baseline configuration as necessary within 30 calendar days of completing the change.

For a change that deviates from the existing baseline configuration:
1.4.1. Prior to the change, determine required cyber security controls in CIP-005 and

limited to:
A change request record and associated electronic authorization (performed by the individual or group with the authority to authorize the change) in a change management system for each change; or
Documentation that the change was performed in accordance with the.

limited to, updated baseline documentation with a date that is within 30 calendar days of the date of the completion of the change.

limited to, a list of cyber security controls verified or tested along with the dated test results.

may be used to automate many device monitoring tasks, such as verifying firmware version, and comparing current configuration to an approved baseline. Configuration changes are logged in the database.

provides a simple 1-click method for taking a snapshot of a device configuration and marking it as baseline.

n/a (process )